beating up on small business security

I read a few bits in a row today about small business security which made me kinda sit back and decide I disagree. I read a piece from Andy, another from Rothman, and another that Rothman pointed to over at SmallBizResource. I’m sure I’ll read some more in the next few days as I attempt to get caught up on my reading in this rather busy week. For now, let me rant a bit and enjoy some foam being flung from my lips.

First, security is easier than a red-headed step-child to get mad at (that’s so un-PC, but that’s why I’m not a professional blogger…). You can poke holes at it until you turn blue and the sky turns into pudding. That’s the nature of the beast we attempt to control and tame every single day, and the grim reality is there will always be holes and improvements and places where we can say, “they don’t get it” or “they’re not taking care of security.” By the way, eventually business is going to tire from this fact that we can always criticize and give security exceptions; eventually this will bite us in the ass as business “settles” for checklist security and nothing more. (But I guess we at least get that far, eh?)

Second, securing a Fortune 50 is a hell of a lot different than securing a 500-person company which is also different from securing a 50-person company. In fact, I really think securing those smaller companies would actually be easier given a knowledgeable geek. Just like in warfare, they are nimble, quick, have a low profile, and tend to be pretty unpredictable and all without the slow-moving girth of a politically-motivated blimp. In other words, I don’t think size correlates with security on any other level than coincidental. I don’t think there’s causation here. (More on this later.)

I still keep my list of the top 5 things I would suggest all small businesses do, not to become compliant with PCI or some other checklist, but to rather make big strides towards security. These 5 things can make a huge move towards being more secure, especially for a small business. They’re not really that hard, and I think we overestimate the number of companies who don’t do them (and yes, that’s coming from me, the skeptic who thinks all companies are basically fucked and full of holes, if not from an outside perspective, then from an insider).

Third, I really don’t think the article on SmallBizResource paints with the right colors. The article attempts to paint that SMBs are doing poor security by holding up that many of them are “currently storing sensitive customer data that they are supposed to purge after a transaction is complete under the Payment Card Industry (PCI) Data Security Standard.” So? This is a problem with checklist security. So what if they are storing data? How are they storing that data? So what if their front door is unlocked when they have a mantrap, cameras, and internal doors protecting other areas of the company? The act of storing data adds to risk and may be against a compliance regulation, but that is not necessarily insecurity at work. Likewise, not following a security guideline and instead working by common sense can be just fine…unless you want to assume that no one has good common sense. I know I don’t follow some blueprint for my own home security and instead follow some common sense, but that itself doesn’t mean I’m insecure. And what if they don’t store that data but also don’t have a properly configured firewall and anti-virus software? Yes, at least they’re not going to hemorrhage millions of credentials, but they are certainly not secure.

Fourth, I said I would get back to my comment on how size does not necessarily correlate to security. I truly think security is a function of the quality and intelligence of our security and IT professionals. We need more quality people securing things and running IT and managing the data. Andy brushed up against this in his post. I don’t think SMBs don’t get it because they’re SMBs or have less employees or less resources, per se. I think they don’t get it because their IT staffers don’t get it and haven’t had a chance to get it. There’s still an awful, awful number of IT techs who are still learning just how to DO things, let alone do them in a secure fashion.